Is the ICO being too harsh with its GDPR fines?

This week, the UK Information Commissioner’s Office (ICO) issued two intentions to fine organisations for breaches of the GDPR. It has not issued these GDPR fines yet, and both organisations still have an opportunity to respond to the intention with reasons why they feel a fine may not be appropriate.

Who and what are the GDPR fines for?

The organisations being targeted are:

British Airways, for ~£183 million; and

Marriott Hotel Group, for ~£100 million.

As a brief background: both fines relate to security breaches, where customers of these groups had their personal data compromised because the security measures in place were insufficient. It is also important to note that both organisations reported the data breaches to the ICO, as they are required to do under the GDPR.

Why should we care?

There are two main points that we take from these notices.

The ICO’s challenge

The first point is that the ICO will have to be very careful in how it decides to apply GDPR fines. Depending on the facts of the current cases, it is possible that the ICO is being unfair, and that the fines are too high.

Like most other data protection laws, the GDPR says that an organisation must put appropriate security measures in place to protect personal data. According to the law, if you do this, and a breach occurs, you should not be penalised. But the question here turns on whether or not the security measures in place are “appropriate”. And this requires us to ask what “appropriate” actually means. Does it mean that the security measures should be reasonable, based on the kind of personal data being processed? Or does it mean that they are completely impenetrable? We believe that “appropriate” can only mean “reasonable”. After all, the world is full of sophisticated hackers who – with enough time and resources – could break through almost any security measures.

And this is where the potential for unfairness comes in. If you have done everything the law requires of you – putting in all reasonable security measures, and notifying the ICO of a data breach as soon as you became aware of it – it would be unfair to be handed a fine for your troubles. Of course, this assumes that you have indeed done everything the law requires of you. If the ICO’s investigation finds that British Airways or the Marriott Hotel Group failed to put appropriate security measures in place, considering the kind of personal data they were processing, then maybe the fines are entirely reasonable.

The ICO’s teeth

The second point is that these notices prove that the ICO means business. Any previous idea of leniency or grace period has clearly ended, and the ICO is fully prepared and willing to take on those companies that it sees as breaching the GDPR.

As the ICO is one of the lead investigators for all other data protection authorities in the EU, this is an indicator that the whole of the EU will likely follow suit. It is also important to note that the ICO is targeting not only local EU organisations, but global companies too.

What about processors?

The question of fines becomes a little trickier for data controllers if the security breach was caused by one of their data processors (a service provider who processes personal data on behalf of the controller). This is because, by default under the law, the data controller will be held responsible for their processor’s lack of security.

Because of this, all data controllers should be assessing their data processors, and ensuring that those processors have reasonable and appropriate security measures in place.

A data controller can, however, pass the cost of a fine on to the processor responsible for the data breach, as long as their agreements reflect this. If a data processor has indemnified their controller, and the processor has not put appropriate security measures in place, then the processor would have to pay the controller the fine that the controller had to pay to the ICO.

What can you do to avoid fines?

Organisations need to make sure that they have reasonable and appropriate security measures in place. This is an information security task, and one of the many aspects of data protection that they should be focusing on.

You should also be using your data processing agreements as a way of protecting yourself. This includes investigating your data processing relationship, identifying the issues, and making sure that your contracts are handled correctly.